Spambots are here to stay, so learn from it

The headline reads, “FBI warns of new malware targeting bank accounts.” It could just as well read, “More new victims born from opening emails.” From the simple act of opening an email and clicking on an attachment, the victim’s username and password for their bank accounts are stolen by a process called keylogging, in which the malware records your credentials directly from your keystrokes as you type them in.

What’s scary is that bogus emails can appear to come from someone you know to be a legitimate sender. Today’s new malware is called Gameover, and the email appears to be sent from the Federal Reserve Bank or from the FDIC. Gameover is a modified version of the infamous Zeus malware, which never seems to die.

These misleading emails have convinced many people – including C-level executives – to inadvertently reveal their own or their organization’s sensitive information.

Cybercriminals have grown in sophistication on par with the largest organized crime rings. Years are spent developing these attack vectors, gathering intelligence through social engineering. They use spear phishing to aim directly at a defense contractor like Raytheon, or at a government entity, to obtain classified information. By working stealthily and patiently, over time these criminals can bypass network security controls.

Some of the most high-profile targeted attacks last year included the RSA hack and the subsequent attacks on Lockheed Martin and the International Monetary Fund. Companies of all sizes are actively taking part in these schemes. I say “actively” because companies are aiding and abetting the proliferation of spambots without being aware of it.

Nearly everyone complains about spam, but how many people know that their own PCs are most likely responsible for sending it? Designers of spambots (aka “botnets”) create malware that converts the PCs of unsuspecting Internet users into spam-generating zombies. By using a fraction of the processing power of thousands of PCs daisy-chained together, these spambots manage to send billions of unwanted e-mails without the PC’s owner ever noticing.

A recent example is Rustock. One of the world’s largest spam botnets, Rustock infected more than 1 million PCs and generated 30-44 billion unwanted e-mails – about 48% of all the junk e-mails sent, according to the security company Symantec. Yet few have heard of it. Symantec estimates there are about 3.5 million to 5.4 million botnets worldwide.

Stealth is the name of the malware game, which is why we will continue to see new spambots rise up to fill the void left by Rustock and its predecessors.

From individual home users to Fortune 500 companies, countless web citizens are being affected daily. But unlike the widely publicized exploits of yore (remember the ILOVEYOU and Melissa attacks?), today’s spambots prefer to operate in the dark. They actively avoid publicity so the average person doesn’t know about them and therefore won’t be scanning for them to purge them.

Many attack methods successfully avoid detection by traditional security mechanisms, because detection-avoidance schemes are increasingly sophisticated. Like something organic and Darwinian, malware can continuously mutate, changing its signature in the process, and attackers work to avoid creating recognizable patterns of attack. Often, intruders install backdoors for easy re-entry. There seem to be limitless ways of eluding detection by anti-malware tools. Heuristics and fuzzy-logic tools may be an improvement, but they are a far cry from meeting the detection needs of most organizations.

All of this raises the question: what steps can you take to prevent your organization from becoming the target of an attack? Is there any way to stamp out spambots?

Probably the best way is to put in place a regular vulnerability testing program to identify weaknesses and quickly address those found. These tools scan computers and networks for holes much as professional hackers do, finding back doors that are typically left open and go unnoticed by other methods.

By conducting regular internal and external vulnerability testing to identify weaknesses, set priorities, and monitor remediation results, your organization will be in a better position to ward off the bad guys.

About the Author:

Michelle Drolet is founder and CEO of Towerwall, an IT security services provider in Framingham, MA with clients such as Bose, Raytheon, Middlesex Savings Bank, law firms and SMBs.